Documentation ¶
Index ¶
- Constants
- Variables
- func CardKeyNotSupported() *apdu.RAPDU
- func CommandCompleted(data []byte) *apdu.RAPDU
- func CommandNotAllowed() *apdu.RAPDU
- func Decrypt(input []byte, diversifier []byte) (output []byte, err error)
- func EncryptOFB(key []byte, iv []byte, input []byte) (output []byte, err error)
- func FileNotFound() *apdu.RAPDU
- func LED(name string, on bool) (err error)
- func Pad(buf []byte, extraBlock bool) []byte
- func ReferencedDataNotFound() *apdu.RAPDU
- func SecurityConditionNotSatisfied() *apdu.RAPDU
- func UnrecoverableError() *apdu.RAPDU
- func VerifyFail(retries byte) *apdu.RAPDU
- func WrongData() *apdu.RAPDU
- type Interface
- func (card *Interface) AID() (aid []byte)
- func (card *Interface) ATR() (atr []byte)
- func (card *Interface) AlgorithmAttributes(subkey *openpgp.Subkey) (data []byte)
- func (card *Interface) AlgorithmInformation() []byte
- func (card *Interface) ApplicationRelatedData() []byte
- func (card *Interface) CAFingerprints() (fingerprints []byte)
- func (card *Interface) CardholderRelatedData() []byte
- func (card *Interface) Command(capdu *apdu.CAPDU) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) ComputeDigitalSignature(data []byte) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) Decipher(data []byte) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) DigitalSignatureCounter() []byte
- func (card *Interface) DiscretionaryData() []byte
- func (card *Interface) Encipher(data []byte) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) Fingerprints() (fingerprints []byte)
- func (card *Interface) GenerateAsymmetricKeyPair(params uint16, crt []byte) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) GenerationEpochs() (epochs []byte)
- func (card *Interface) GetChallenge(n int) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) GetData(tag uint16) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) Init() (err error)
- func (card *Interface) Initialized() bool
- func (card *Interface) KeyInformation() []byte
- func (card *Interface) PWStatusBytes() []byte
- func (card *Interface) PutData(tag uint16) (rapdu *apdu.RAPDU, err error)
- func (card *Interface) RawCommand(buf []byte) ([]byte, error)
- func (card *Interface) Restore(subkey *openpgp.Subkey) *packet.PrivateKey
- func (card *Interface) SecuritySupportTemplate() []byte
- func (card *Interface) Select(file []byte) (rapdu *apdu.RAPDU, _ error)
- func (card *Interface) ServeRPC(rw io.ReadWriter) error
- func (card *Interface) Status() string
- func (card *Interface) Verify(P1 byte, P2 byte, passphrase []byte) (rapdu *apdu.RAPDU, err error)
Constants ¶
const ( // p65, 7.2.11 PSO: DECIPHER, OpenPGP application Version 3.4 RSA_PADDING = 0x00 AES_PADDING = 0x02 )
const ( // p22, 4.4.1 DOs for GET DATA, OpenPGP application Version 3.4 DO_APPLICATION_IDENTIFIER = 0x4f DO_LOGIN_DATA = 0x5e DO_URL = 0x5f50 DO_HISTORICAL_BYTES = 0x5f52 DO_CARDHOLDER_RELATED_DATA = 0x65 DO_APPLICATION_RELATED_DATA = 0x6e DO_SECURITY_SUPPORT_TEMPLATE = 0x7a DO_CARDHOLDER_CERTIFICATE = 0x7f21 // TODO DO_EXTENDED_LENGTH_INFORMATION = 0x7f66 DO_PW_STATUS_BYTES = 0xc4 DO_KEY_INFORMATION = 0xde DO_ALGORITHM_INFORMATION = 0xfa // DOs not directly accessible DO_NAME = 0x5b DO_LANGUAGE = 0x5f2d DO_SEX = 0x5f35 DO_DISCRETIONARY_DATA_OBJECTS = 0x73 DO_EXTENDED_CAPABILITIES = 0xc0 DO_ALGORITHM_ATTRIBUTES_SIG = 0xc1 DO_ALGORITHM_ATTRIBUTES_DEC = 0xc2 DO_ALGORITHM_ATTRIBUTES_AUT = 0xc3 DO_FINGERPRINTS = 0xc5 DO_CA_FINGERPRINTS = 0xc6 DO_GENERATION_EPOCHS = 0xcd DO_DIGITAL_SIGNATURE_COUNTER = 0x93 // p65, 7.2.11 PSO: DECIPHER, OpenPGP application Version 3.4 DO_CIPHER = 0xa6 DO_AES256 = 0xd5 // p72, 7.2.14 GENERATE ASYMMETRIC KEY PAIR, OpenPGP application Version 3.4 DO_PUB_KEY = 0x7f49 DO_RSA_MOD = 0x81 DO_RSA_EXP = 0x82 DO_EXT_PUB_KEY = 0x86 // p33, 4.4.3.9 Algorithm Attributes, OpenPGP application Version 3.4 RSA = 0x01 RSA_KEY_SIZE = 4096 RSA_EXPONENT_SIZE = 32 IMPORT_FORMAT_STANDARD = 0x00 // p33, 4.4.3.8 Key Information, OpenPGP application Version 3.4 KEY_SIG = 0x01 KEY_DEC = 0x02 KEY_AUT = 0x03 KEY_NOT_PRESENT = 0x00 KEY_GENERATED = 0x01 KEY_IMPORTED = 0x02 PW1_MAX_LENGTH = 127 RC_MAX_LENGTH = 127 PW3_MAX_LENGTH = 127 )
const ( // p48, 7.1 Usage of ISO Standard Commands, OpenPGP application Version 3.4. SELECT = 0xa4 GET_DATA = 0xca VERIFY = 0x20 PUT_DATA_1 = 0xda PUT_DATA_2 = 0xdb GENERATE_ASYMMETRIC_KEY_PAIR = 0x47 GET_CHALLENGE = 0x84 PERFORM_SECURITY_OPERATION = 0x2a // Security Operations COMPUTE_DIGITAL_SIGNATURE = 0x9e9a DECIPHER = 0x8086 ENCIPHER = 0x8680 DEFAULT_PW1_ERROR_COUNTER = 3 )
const ( PW_VERIFY = 0x00 PW_LOCK = 0xff // PW1 only valid for one PSO:CDS command PW1_CDS_MULTI = 0x00 PW1_CDS = 0x81 PW1 = 0x82 PW3 = 0x83 )
const DiversifierPGP = "GoKeySNVSOpenPGP"
Diversifier for hardware key derivation (OpenPGP key wrapping).
Variables ¶
Functions ¶
func CardKeyNotSupported ¶
func CommandCompleted ¶
func CommandNotAllowed ¶
func EncryptOFB ¶
EncryptOFB performs symmetric AES encryption using AES-256-OFB. The initialization vector is prepended to the encrypted file, the HMAC for authentication is appended: `iv (16 bytes) || ciphertext || hmac (32 bytes)`.
func FileNotFound ¶
func ReferencedDataNotFound ¶
func UnrecoverableError ¶
func VerifyFail ¶
Types ¶
type Interface ¶
type Interface struct { sync.Mutex // Unique serial number Serial [4]byte // p30, 4.4.3.3 Name, OpenPGP application Version 3.4 Name string // p30, 4.4.3.4 Name, OpenPGP application Version 3.4 Language string // p31, 4.4.3.5 Name, OpenPGP application Version 3.4 Sex string URL string LoginData []byte // enable APDU debugging Debug bool // enable device unique hardware encryption for bundled private keys SNVS bool // Armored secret key ArmoredKey []byte // Secret key Key *openpgp.Entity // Signature subkey Sig *openpgp.Subkey // Decryption subkey Dec *openpgp.Subkey // Authentication subkey Aut *openpgp.Subkey // currently unused CA []*openpgp.Entity // contains filtered or unexported fields }
Interface implements an OpenPGP card instance.
func (*Interface) AID ¶
AID implements p15, 4.2.1 Application Identifier (AID), OpenPGP application Version 3.4.
func (*Interface) AlgorithmAttributes ¶
AlgorithmAttributes builds and returns the Data Objects specified at p34, 4.4.3.9 Algorithm Attributes, OpenPGP application Version 3.4.
func (*Interface) AlgorithmInformation ¶
AlgorithmInformation implements p37, 4.4.3.11 Algorithm Information, OpenPGP application Version 3.4.
The standard is ambiguous on whether this DO needs to be present if algorithm attributes cannot be changed, the DO table suggests this is mandatory but the DO description suggests otherwise.
Given that this implementation does not allow changes, the imported key attributes are returned.
func (*Interface) ApplicationRelatedData ¶
ApplicationRelatedData implements p30, 4.4.3.1 Application Related Data, OpenPGP application Version 3.4.
func (*Interface) CAFingerprints ¶
CAFingerprints collects card OpenPGP CA fingerprints and returns them in Data Object 0xC6. Currently unused (always empty).
func (*Interface) CardholderRelatedData ¶
CardholderRelatedData builds and returns Data Object 0x65.
func (*Interface) Command ¶
Command parses an APDU command and redirects it to the relevant handler. An APDU response is returned.
func (*Interface) ComputeDigitalSignature ¶
ComputeDigitalSignature implements p62, 7.2.10 PSO: COMPUTE DIGITAL SIGNATURE, OpenPGP application Version 3.4.
func (*Interface) Decipher ¶
Decipher implements p65, 7.2.11 PSO: DECIPHER, OpenPGP application Version 3.4.
func (*Interface) DigitalSignatureCounter ¶
func (*Interface) DiscretionaryData ¶
DiscretionaryData builds and returns Data Object 0x73.
func (*Interface) Encipher ¶
Encipher implements p68, 7.2.12 PSO: ENCIPHER, OpenPGP application Version 3.4.
func (*Interface) Fingerprints ¶
Fingerprints collects card OpenPGP subkey fingerprints and returns them in Data Object 0xC5.
func (*Interface) GenerateAsymmetricKeyPair ¶
func (card *Interface) GenerateAsymmetricKeyPair(params uint16, crt []byte) (rapdu *apdu.RAPDU, err error)
GenerateAsymmetricKeyPair implements p72, 7.2.14 GENERATE ASYMMETRIC KEY PAIR, OpenPGP application Version 3.4.
Generation of key pair is not implemented as card personalization is managed outside OpenPGP specifications and the PW3 PIN (required for this mode) is not supported.
Therefore this command can only be used to read public key templates.
func (*Interface) GenerationEpochs ¶
GenerationEpochs collects card OpenPGP creation times and returns them in Data Object 0xCD.
func (*Interface) GetChallenge ¶
GetChallenge implements p74, 7.2.15 GET CHALLENGE, OpenPGP application Version 3.4.
func (*Interface) GetData ¶
GetData implements p57, 7.2.6 GET DATA, OpenPGP application Version 3.4.
func (*Interface) Init ¶
Init initializes the OpenPGP card instance, using passed amored secret key material.
The SNVS argument indicates whether private keys (which are already encrypted with the passphrase unless the user created them without one) are to be stored encrypted at rest with a device specific hardware derived key.
func (*Interface) Initialized ¶
Initialized returns the OpenPGP card initialization state.
func (*Interface) KeyInformation ¶
KeyInformation implements p33, 4.4.3.8 Key Information, OpenPGP application Version 3.4.
This information is required for Yubico OpenPGP attestation, this implementation doesn't (yet) support this feature as its usefulness is questionable. Therefore we just flag all keys as imported (which also happens to be the only allowed mechanism for now).
func (*Interface) PWStatusBytes ¶
PWStatusBytes builds and returns Data Object 0xC4.
func (*Interface) PutData ¶
PutData implements p60, 7.2.8 PUT DATA, OpenPGP application Version 3.4.
This is not implemented (always returns command not allowed) as card personalization is managed outside OpenPGP specifications and the PW3 PIN (required for this command) is not supported.
func (*Interface) RawCommand ¶
RawCommand parses a buffer representing an APDU command and redirects it to the relevant handler. A buffer representing the APDU response is returned.
func (*Interface) Restore ¶
func (card *Interface) Restore(subkey *openpgp.Subkey) *packet.PrivateKey
Restore overwrites decrypted subkeys with their encrypted version, imported at card initialization.
func (*Interface) SecuritySupportTemplate ¶
SecuritySupportTemplate builds and returns Data Object 0x7A.
func (*Interface) Status ¶
Status returns card key fingerprints and encryption status in textual format.
func (*Interface) Verify ¶
Verify implements p51, 7.2.2 VERIFY, OpenPGP application Version 3.4.
Unlike most smartcards, in this implementation PW1 represents the actual private key passphrase and it is used to decrypt the selected OpenPGP private subkey.
Therefore the passphrase/PIN verification status matches the presence of a decrypted subkey in memory.
Verification of the admin password (PW3) is not supported as, in this implementation, card personalization is managed outside OpenPGP specifications.